diff --git a/.env.sample b/.env.sample
index f6a5251..a2b7899 100644
--- a/.env.sample
+++ b/.env.sample
@@ -38,3 +38,10 @@ CRON_SCHEDULE='30 3 * * *'
 # it overwrites the RESTIC_REPOSITORY variable
 #SECRET_RESTIC_REPO_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
+
+# Restic exporter - prometheus metrics
+#COMPOSE_FILE="$COMPOSE_FILE:compose.exporter.yml"
+#LETS_ENCRYPT_ENV=production
+#REFRESH_INTERVAL=86400 # once per day, be cautious with small numbers, as this can create traffic
+#METRICS_DOMAIN=backup.example.com
+#TIMEZONE=Europe/Berlin
\ No newline at end of file
diff --git a/compose.exporter.yml b/compose.exporter.yml
new file mode 100644
index 0000000..f5c4461
--- /dev/null
+++ b/compose.exporter.yml
@@ -0,0 +1,48 @@
+---
+version: "3.8"
+
+services:
+  restic-exporter:
+    image: ngosang/restic-exporter:2.0.2
+    environment:
+      - TZ=${TIMEZONE}
+      - RESTIC_REPOSITORY
+      - RESTIC_PASSWORD_FILE=/run/secrets/restic_password
+      - REFRESH_INTERVAL
+      - METRICS_DOMAIN
+    volumes:
+      - data:/data
+      - cache:/root/.cache/restic
+    secrets:
+      - restic_password
+    configs:
+      - source: entrypoint
+        target: /entrypoint.sh
+        mode: 666
+    entrypoint: /entrypoint.sh
+    command: /usr/local/bin/python -u /app/exporter.py
+    networks:
+      - proxy
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}-metrics.loadbalancer.server.port=8001"
+        - "traefik.http.routers.${STACK_NAME}-metrics.rule=Host(`${METRICS_DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}-metrics.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}-metrics.tls=true"
+        - "traefik.http.routers.${STACK_NAME}-metrics.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}-metrics.middlewares=basicauth@file"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8001/metrics"]
+      interval: 1m
+      timeout: 10s
+      retries: 60
+      start_period: 1m
+
+volumes:
+  cache:
+  data:
+
+networks:
+  proxy:
+    external: true
\ No newline at end of file
diff --git a/compose.ssh.yml b/compose.ssh.yml
index bb48647..189bf49 100644
--- a/compose.ssh.yml
+++ b/compose.ssh.yml
@@ -1,16 +1,34 @@
 ---
 version: "3.8"
+
+x-ssh_env: &ssh_env
+  - SSH_KEY_FILE=/run/secrets/ssh_key
+  - SSH_HOST_KEY
+
+x-ssh_secrets: &ssh_secrets
+  - source: ssh_key
+    mode: 0400
+
+x-ssh_configs: &ssh_configs
+  - source: ssh_config
+    target: /root/.ssh/config
+
 services:
   app:
     environment:
-      - SSH_KEY_FILE=/run/secrets/ssh_key
-      - SSH_HOST_KEY
+      *ssh_env
     secrets:
-      - source: ssh_key
-        mode: 0400
+      *ssh_secrets
     configs:
-      - source: ssh_config
-        target: /root/.ssh/config
+      *ssh_configs
+
+  restic-exporter:
+    environment:
+      *ssh_env
+    secrets:
+      *ssh_secrets
+    configs:
+      *ssh_configs
 
 secrets:
   ssh_key:
diff --git a/entrypoint.sh b/entrypoint.sh
index 76fe1c7..1d1aead 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,14 +2,25 @@
 
 set -e
 
+echo "executing entrypoint.sh..."
+
 if [ -n "$SSH_HOST_KEY" ]
 then
+    echo "setting ssh known hosts"
     echo "$SSH_HOST_KEY" > /root/.ssh/known_hosts
 fi
 
-cron_schedule="${CRON_SCHEDULE:?CRON_SCHEDULE not set}"
+if [ -n "$CRON_SCHEDULE" ]
+then
+    echo "setting up cronjob..."
+    cron_schedule="${CRON_SCHEDULE:?CRON_SCHEDULE not set}"
 
-echo "$cron_schedule /cronjob.sh" | crontab -
-crontab -l
+    echo "$cron_schedule /cronjob.sh" | crontab -
+    crontab -l
 
-crond -f -d8 -L /dev/stdout
+    crond -f -d8 -L /dev/stdout
+else
+    # startup for exporter
+    apk --no-cache add curl
+    exec /sbin/tini -- "$@"
+fi